
New Member

ACLs not working for ping/dns and other router operations

I have an 1800 series router configured with reflexive ACLs that is working just fine for traffic passing between the internal and external interfaces.

The issue I'm having is that if I ping or use DNS from the IOS command line, the traffic doesn't appear to get added to the reflexive ACL for the inbound interface. It's as if traffic from IOS itself bypasses my outbound ACL. How do I resolve this?

If I just put permit ip any any on the inbound ACL, everything works, but that defeats the purpose of my original reflexive ACL.

thanks, Simon

4 REPLIES
Hall of Fame Super Blue

Re: ACLs not working for ping/dns and other router operations

Simon

"It's as if traffic from IOS itself bypasses my outbound ACL. How do I resolve this?"

This is exactly what happens, i.e. an outbound ACL has no effect on traffic originated by the router. This is normal behaviour, so you don't really resolve it.

Jon

New Member

Re: ACLs not working for ping/dns and other router operations

Ok, thanks - saved me a lot of time.

Simon

Hall of Fame Super Silver

Re: ACLs not working for ping/dns and other router operations

Simon

In fact packets generated by the router itself do bypass outbound access lists. I have not been in this particular situation, so I do not have any solution from experience. But it seems to me that you certainly do not want permit ip any any, but perhaps you can develop a list of the things that you do send from the router and put in permits for that specific traffic to that specific destination address. Or perhaps you might put in:

permit ip any host

which would permit only things addressed to the router interface.

HTH

Rick

New Member

Re: ACLs not working for ping/dns and other router operations

Yes, I plan on constructing ACLs for the specific things I need, mainly DNS. The issue with an ACL for the outside interface is that it's a DHCP-enabled WAN port, so I don't have the IP address as a constant value.

So for DNS it has to be:

permit udp host eq domain any

Simon
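The configuration the thread arrives at, written out as an added example (not taken from any post above): the reflexive ACL handles transit traffic, and a few static entries ahead of the evaluate line admit only the replies to traffic the router originates itself, which the outbound ACL never sees. The name server address 192.0.2.53, the interface name FastEthernet0 and the timeouts are assumed values for illustration.

```cisco
! Outbound (transit) traffic: tracked by the reflexive list TRAFFIC.
! Packets the router itself sends are NOT evaluated here, so they
! never create TRAFFIC entries.
ip access-list extended OUTBOUND
 permit tcp any any reflect TRAFFIC timeout 300
 permit udp any any reflect TRAFFIC timeout 60
 permit icmp any any reflect TRAFFIC timeout 30

ip access-list extended INBOUND
 remark --- replies to router-originated traffic (assumed addresses) ---
 remark DNS answers from the configured name server only; the WAN
 remark address is DHCP-assigned, so the destination stays "any"
 permit udp host 192.0.2.53 eq domain any
 remark echo-reply so that "ping" from the IOS CLI gets its answers
 permit icmp any any echo-reply
 remark DHCP lease renewals for the WAN address itself
 permit udp any eq bootps any eq bootpc
 remark --- everything else must match a reflexive entry ---
 evaluate TRAFFIC
 deny ip any any log

ip name-server 192.0.2.53

interface FastEthernet0
 description WAN (DHCP-assigned address)
 ip address dhcp
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

The weak alternative from the first post, permit ip any any at the top of INBOUND, would make the evaluate line meaningless; the static entries here are kept to named servers and reply-only message types so the reflexive list still governs everything else.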
